2024-09-16 15:29:09 +02:00
|
|
|
import { apiRoute, applyConfig } from "@/api";
|
2024-05-29 02:59:49 +02:00
|
|
|
import { oauthRedirectUri } from "@/constants";
|
2024-09-16 15:29:09 +02:00
|
|
|
import { createRoute } from "@hono/zod-openapi";
|
2024-08-28 17:01:56 +02:00
|
|
|
import type { Context } from "hono";
|
2023-12-06 23:10:22 +01:00
|
|
|
import {
|
2024-04-07 07:30:49 +02:00
|
|
|
calculatePKCECodeChallenge,
|
|
|
|
|
discoveryRequest,
|
|
|
|
|
generateRandomCodeVerifier,
|
|
|
|
|
processDiscoveryResponse,
|
2023-12-06 23:10:22 +01:00
|
|
|
} from "oauth4webapi";
|
2024-05-06 09:16:33 +02:00
|
|
|
import { z } from "zod";
|
2024-05-29 02:59:49 +02:00
|
|
|
import { db } from "~/drizzle/db";
|
|
|
|
|
import { OpenIdLoginFlows } from "~/drizzle/schema";
|
|
|
|
|
import { config } from "~/packages/config-manager";
|
2023-12-06 23:10:22 +01:00
|
|
|
|
|
|
|
|
export const meta = applyConfig({
|
2024-04-07 07:30:49 +02:00
|
|
|
allowedMethods: ["GET"],
|
|
|
|
|
auth: {
|
|
|
|
|
required: false,
|
|
|
|
|
},
|
|
|
|
|
ratelimits: {
|
|
|
|
|
duration: 60,
|
|
|
|
|
max: 20,
|
|
|
|
|
},
|
2024-05-17 03:49:59 +02:00
|
|
|
route: "/oauth/sso",
|
2023-12-06 23:10:22 +01:00
|
|
|
});
|
|
|
|
|
|
2024-05-06 09:16:33 +02:00
|
|
|
export const schemas = {
|
|
|
|
|
query: z.object({
|
|
|
|
|
issuer: z.string(),
|
2024-05-17 03:49:59 +02:00
|
|
|
client_id: z.string().optional(),
|
2024-05-17 08:58:27 +02:00
|
|
|
redirect_uri: z.string().url().optional(),
|
|
|
|
|
scope: z.string().optional(),
|
|
|
|
|
response_type: z.enum(["code"]).optional(),
|
2024-05-06 09:16:33 +02:00
|
|
|
}),
|
|
|
|
|
};
|
2023-12-06 23:10:22 +01:00
|
|
|
|
2024-09-16 15:29:09 +02:00
|
|
|
const route = createRoute({
|
|
|
|
|
method: "get",
|
|
|
|
|
path: "/oauth/sso",
|
|
|
|
|
summary: "Initiate SSO login flow",
|
|
|
|
|
request: {
|
|
|
|
|
query: schemas.query,
|
|
|
|
|
},
|
|
|
|
|
responses: {
|
|
|
|
|
302: {
|
|
|
|
|
description:
|
|
|
|
|
"Redirect to SSO login, or redirect to login page with error",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
|
2024-08-28 17:01:56 +02:00
|
|
|
const returnError = (
|
|
|
|
|
context: Context,
|
|
|
|
|
query: object,
|
|
|
|
|
error: string,
|
|
|
|
|
description: string,
|
|
|
|
|
) => {
|
2024-05-06 09:16:33 +02:00
|
|
|
const searchParams = new URLSearchParams();
|
2023-12-06 23:10:22 +01:00
|
|
|
|
2024-05-06 09:16:33 +02:00
|
|
|
// Add all data that is not undefined except email and password
|
|
|
|
|
for (const [key, value] of Object.entries(query)) {
|
2024-06-13 04:26:43 +02:00
|
|
|
if (key !== "email" && key !== "password" && value !== undefined) {
|
2024-05-06 09:16:33 +02:00
|
|
|
searchParams.append(key, value);
|
2024-06-13 04:26:43 +02:00
|
|
|
}
|
2024-04-07 07:30:49 +02:00
|
|
|
}
|
2023-12-06 23:10:22 +01:00
|
|
|
|
2024-05-06 09:16:33 +02:00
|
|
|
searchParams.append("error", error);
|
|
|
|
|
searchParams.append("error_description", description);
|
2023-12-07 00:34:56 +01:00
|
|
|
|
2024-08-28 17:01:56 +02:00
|
|
|
return context.redirect(
|
|
|
|
|
`${config.frontend.routes.login}?${searchParams.toString()}`,
|
|
|
|
|
);
|
2024-05-06 09:16:33 +02:00
|
|
|
};
|
|
|
|
|
|
2024-08-19 20:06:38 +02:00
|
|
|
export default apiRoute((app) =>
|
2024-09-16 15:29:09 +02:00
|
|
|
app.openapi(route, async (context) => {
|
|
|
|
|
// This is the Versia client's client_id, not the external OAuth provider's client_id
|
|
|
|
|
const { issuer: issuerId, client_id } = context.req.valid("query");
|
|
|
|
|
const body = await context.req.query();
|
|
|
|
|
|
|
|
|
|
if (!client_id || client_id === "undefined") {
|
|
|
|
|
return returnError(
|
|
|
|
|
context,
|
|
|
|
|
body,
|
|
|
|
|
"invalid_request",
|
|
|
|
|
"client_id is required",
|
2024-05-06 09:16:33 +02:00
|
|
|
);
|
2024-09-16 15:29:09 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const issuer = config.oidc.providers.find(
|
|
|
|
|
(provider) => provider.id === issuerId,
|
|
|
|
|
);
|
2024-05-06 09:16:33 +02:00
|
|
|
|
2024-09-16 15:29:09 +02:00
|
|
|
if (!issuer) {
|
|
|
|
|
return returnError(
|
|
|
|
|
context,
|
|
|
|
|
body,
|
|
|
|
|
"invalid_request",
|
|
|
|
|
"issuer is invalid",
|
2024-05-06 09:16:33 +02:00
|
|
|
);
|
2024-09-16 15:29:09 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const issuerUrl = new URL(issuer.url);
|
|
|
|
|
|
|
|
|
|
const authServer = await discoveryRequest(issuerUrl, {
|
|
|
|
|
algorithm: "oidc",
|
|
|
|
|
}).then((res) => processDiscoveryResponse(issuerUrl, res));
|
|
|
|
|
|
|
|
|
|
const codeVerifier = generateRandomCodeVerifier();
|
|
|
|
|
|
|
|
|
|
const application = await db.query.Applications.findFirst({
|
|
|
|
|
where: (application, { eq }) => eq(application.clientId, client_id),
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
if (!application) {
|
|
|
|
|
return returnError(
|
|
|
|
|
context,
|
|
|
|
|
body,
|
|
|
|
|
"invalid_request",
|
|
|
|
|
"client_id is invalid",
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Store into database
|
|
|
|
|
const newFlow = (
|
|
|
|
|
await db
|
|
|
|
|
.insert(OpenIdLoginFlows)
|
|
|
|
|
.values({
|
|
|
|
|
codeVerifier,
|
|
|
|
|
applicationId: application.id,
|
|
|
|
|
issuerId,
|
|
|
|
|
})
|
|
|
|
|
.returning()
|
|
|
|
|
)[0];
|
|
|
|
|
|
|
|
|
|
const codeChallenge = await calculatePKCECodeChallenge(codeVerifier);
|
|
|
|
|
|
|
|
|
|
return context.redirect(
|
|
|
|
|
`${authServer.authorization_endpoint}?${new URLSearchParams({
|
|
|
|
|
client_id: issuer.client_id,
|
|
|
|
|
redirect_uri: `${oauthRedirectUri(issuerId)}?flow=${
|
|
|
|
|
newFlow.id
|
|
|
|
|
}`,
|
|
|
|
|
response_type: "code",
|
|
|
|
|
scope: "openid profile email",
|
|
|
|
|
// PKCE
|
|
|
|
|
code_challenge_method: "S256",
|
|
|
|
|
code_challenge: codeChallenge,
|
|
|
|
|
}).toString()}`,
|
|
|
|
|
);
|
|
|
|
|
}),
|
2024-08-19 20:06:38 +02:00
|
|
|
);
|
